The U.S. Secret Service has called the criminals behind Target’s monster security breach well-organized, “highly technical” and “sophisticated.”

But Santa Clara cybersecurity firm McAfee said in a report out Monday that the heist was anything but exotic, describing the attack as a Breach 101 operation.

The thieves used easily modified off-the-shelf malware, common methods to hide the malware inside Target’s point-of-sale system and didn’t encrypt either the instructions on where to send the stolen card data or the card information itself as it was being transmitted out of Target to a remote server, a data stream that should have been detected and caught, McAfee said in its fourth quarter threats report.

“It’s all just there in black and white,” said Jim Walter, manager of McAfee’s Threat Intelligence Service. “As an attack, it is extremely unimpressive and unremarkable.”

Walter, the chief author of the Target section of the McAfee report, emphasized that he is “not passing any sort of judgment” on Target and couldn’t discuss compliance issues.

Nonetheless, the Target section of the report points the finger directly at the nation’s No. 2 discount retailer for a major security miss. The characterization contrasts with other depictions of the attack as highly sophisticated, and renews questions about why Target’s IT security team did not catch it and had to be informed by federal agencies there was a breach.

Target declined to comment specifically on McAfee’s report.

“While the investigation into this highly sophisticated crime is continuing, we remain committed to understanding the facts and making improvements,” Target spokeswoman Molly Snyder said.

Thieves made off with up to 110 million records from Target late last year after gaining access to its computer systems through the network credentials stolen from a heating and refrigeration vendor. The attack remains the subject of multiple investigations.

If investigators conclude Target wasn’t complying with industry standards for payment card security, the company will be subject to fines. The company could also be vulnerable to legal claims that it was negligent in its handling of the information.

McAfee, now part of Santa Clara-based Intel is not part of the official Target investigations. According to the report, it gained an understanding of the exact malware used at Target “in cooperation with various agencies.”

In early February, Target CFO John Mulligan testified in a Senate committee hearing that the company has invested “hundreds of millions of dollars” in a range of technology security such as segmentation, malware detection, intruder detection and multiple layers of firewalls.

“We have ongoing assessments and third parties coming in doing penetration testing of our systems, benchmarking us against others, assessing if we are in compliance with our own processes and control standards,” Mulligan told the committee.

McAfee’s report, however, paints a picture of a run-of-the-mill attack.

The BlackPOS-based malware may have been customized for Target’s systems, but it was “far from ‘advanced,’ ” it said: “The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”

The methods the thugs used to hide the malware on Target’s system were nothing new either, it said, calling it “standard practice” for criminals to evade the anti-malware and controls companies use for protection.

Thieves can easily get software online to test a company’s defenses and evade them, it said. “Software to test their targets’ defenses and exploit kits to evade those defenses are readily available online.”

In the interview, Walter said the thieves hid the malware on Target’s systems with variations of UPX and Armadillo, very common “packers” that created something like a wrapper around the malware.

More in Technology

Elon Musk unveiled his underground transportation tunnel on Tuesday, allowing reporters and invited guests to take some of the first rides in the revolutionary albeit bumpy subterranean tube — the tech entrepreneur's answer to what he calls "soul-destroying traffic."